Details
- Bug
- Resolution: Fixed
- Blocker
- 3.0.3
- None
Description
It is possible to change content on a Magnolia public instance by executing links like the following:
This link - for example - moves a content node inside the node hierarchy.
Maybe here is a good solution for this problem:
The main problem is that the user's authority isn't checked inside the MgnlInterceptFilter.
Inside the "doFilter" method, the code should be changed like this:

    if (isAuthorized(request, response) && Server.isAdmin())
    { ... }

This solution helps to prevent executing those "evil" links in the public instance.
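
The gate proposed in the description, modelled as a small stand-alone Java program. This is an added example, not Magnolia's code or the reporter's patch. The class `InterceptGateDemo`, the `Request` record, the `intercept` parameter and the `move-node` value are hypothetical stand-ins; only the condition `isAuthorized(...) && Server.isAdmin()` comes from the report.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

// Added illustration. All names here are hypothetical stand-ins,
// not Magnolia classes, parameters or values.
public class InterceptGateDemo {
    // Minimal stand-in for an HTTP request: query parameters plus
    // whether the caller's session is allowed to modify content.
    record Request(Map<String, String> params, boolean authorized) {}

    private final boolean adminInstance;               // models Server.isAdmin()
    final List<String> performed = new ArrayList<>();  // content changes actually made

    InterceptGateDemo(boolean adminInstance) {
        this.adminInstance = adminInstance;
    }

    // Models isAuthorized(request, response) from the report.
    private boolean isAuthorized(Request req) {
        return req.authorized();
    }

    // Models doFilter: the content-changing action runs only behind both
    // checks; the request is always passed on to be rendered.
    String doFilter(Request req) {
        String action = req.params().get("intercept");
        if (action != null && isAuthorized(req) && adminInstance) {
            performed.add(action);
        }
        return "rendered page"; // stands in for chain.doFilter(request, response)
    }

    public static void main(String[] args) {
        // Constructed sample requests carrying the same content-changing parameter.
        Request anonymous = new Request(Map.of("intercept", "move-node"), false);
        Request editor = new Request(Map.of("intercept", "move-node"), true);

        InterceptGateDemo publicInstance = new InterceptGateDemo(false);
        publicInstance.doFilter(anonymous);
        publicInstance.doFilter(editor);
        System.out.println("public instance performed: " + publicInstance.performed);

        InterceptGateDemo authorInstance = new InterceptGateDemo(true);
        authorInstance.doFilter(anonymous);
        authorInstance.doFilter(editor);
        System.out.println("admin instance performed: " + authorInstance.performed);
    }
}
```

With both checks in place, the public instance performs no content change for either caller, and the admin instance performs it only for the authorized one.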
Issue Links
- is depended upon by: MAGNOLIA-1753 activation: latest security fix blocks activation (versioning) (Closed)